[squid-users] [EXTERNAL]Re: URL Regex ACLs Don't Evaluate After Bumping

Shane Poage Shane.Poage at entrustdatacard.com
Fri Nov 2 15:54:47 UTC 2018


If I understand you correctly, my original squid.conf had an ACL directive corresponding to the functionality in question:

	acl CONNECT method CONNECT

Regardless, I added that back to my config and re-tested both with it inline and stand-alone. My results are as follows:

http_access allow CONNECT artifactory_repo_filter
	This resulted in no traffic being passed, just like without the
	CONNECT ACL present. I assume this is what you were telling
	me to do because it's what made the most sense based off
	of your description of the problem, but it did not have the
	desired effect.

http_access allow CONNECT
http_access allow artifactory_repo_filter
	This resulted in all SSL traffic being permitted and passed through
	the proxy. This makes sense to me because the allow CONNECT
	would whitelist all CONNECT traffic, which is what all SSL traffic is
	by my understanding. I didn't think this is what you meant, but I
	tried it anyway to be sure.

Have I misunderstood you somehow, or is it not behaving as expected?

On 11/1/18, 6:21 PM, "squid-users on behalf of Alex Rousskov" <squid-users-bounces at lists.squid-cache.org on behalf of rousskov at measurement-factory.com> wrote:
    On 11/1/18 2:46 PM, Shane Poage wrote:
    
    > I have my proxy configured to bump all traffic so that the
    > urlpath_regex ACL can be applied, but it appears to not have any
    > effect post-bump.
    
    Your proxy will deny any first post-bump request and close the tunnel
    because you deny all CONNECT requests that initiate tunnels. CONNECT
    requests do not have a URL path so they will never match your
    "http_access allow" rule.
    
    When a CONNECT request is denied by a bumping Squid, that Squid bumps
    the tunnel and then denies the very first bumped request on that tunnel,
    whatever that request is. This delayed error return is done to deliver
    the "access denied" error page to the client -- browsers ignore CONNECT
    error responses.
    
    
    > http_port 3128 ssl-bump \
    >   cert=/etc/squid/ssl_certs/artifactory_mitm_ca.pem \
    >   generate-host-certificates=on \
    >   dynamic_cert_mem_cache_size=4MB
    
    > ssl_bump bump all
    
    > acl artifactory_repo_filter urlpath_regex ^/artifactory
    > http_access allow artifactory_repo_filter
    > 
    > # And finally deny all other access to this proxy
    > http_access deny all
    
    Insert an http_access rule to allow all safe CONNECT requests before you
    deny everything else. IIRC, squid.conf.default has an example of how to
    do that.
    
    Alex.
    _______________________________________________
    squid-users mailing list
    squid-users at lists.squid-cache.org
    http://lists.squid-cache.org/listinfo/squid-users
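To make the rule-ordering point in this thread concrete, here is an added example (not Squid's code and not from either poster) that models Squid's documented http_access evaluation in Python: lines are checked top to bottom, every ACL on a line must match for that line to decide the request, a leading `!` negates an ACL, and a CONNECT request carries only host:port and therefore has no URL path for `urlpath_regex` to match. It also models the delayed error Alex describes, where a denied CONNECT is still bumped but the first request inside the tunnel is rejected whatever it is. The `FIXED_CONF` fragment is an assumption modelled on the `SSL_ports`/`CONNECT` pattern in squid.conf.default (assuming 443 is the only SSL port), and the request dictionaries are constructed test inputs.

```python
import re

# Constructed squid.conf fragments (example, not Shane's full config).
POSTED_CONF = """
acl artifactory_repo_filter urlpath_regex ^/artifactory
http_access allow artifactory_repo_filter
http_access deny all
"""

# Shane's second attempt: a bare 'allow CONNECT' lets a tunnel to any port through.
BARE_CONNECT_CONF = """
acl CONNECT method CONNECT
acl artifactory_repo_filter urlpath_regex ^/artifactory
http_access allow CONNECT
http_access allow artifactory_repo_filter
http_access deny all
"""

# Assumed fix in the spirit of squid.conf.default: allow CONNECT only to
# SSL_ports before the catch-all deny. (Assumption: 443 is the only SSL port.)
FIXED_CONF = """
acl SSL_ports port 443
acl CONNECT method CONNECT
acl artifactory_repo_filter urlpath_regex ^/artifactory
http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports
http_access allow artifactory_repo_filter
http_access deny all
"""


def parse_config(text):
    """Collect 'acl' definitions and 'http_access' rules in file order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, request):
    """Does one named ACL match the request? (small subset of Squid ACL types)"""
    if name == "all":  # Squid's built-in 'all' ACL matches everything
        return True
    for kind, args in acls[name]:
        if kind == "method" and request["method"] in args:
            return True
        if kind == "port" and str(request["port"]) in args:
            return True
        if kind == "urlpath_regex":
            # A CONNECT request is host:port only; it has no URL path, so this
            # ACL type can never match it.
            path = request.get("path")
            if path is not None and any(re.search(a, path) for a in args):
                return True
    return False


def http_access(conf_text, request):
    """The first http_access line whose ACLs all match decides the request."""
    acls, rules = parse_config(conf_text)
    last_action = "deny"
    for action, terms in rules:
        last_action = action
        if all(acl_matches(acls, t.lstrip("!"), request) != t.startswith("!")
               for t in terms):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if last_action == "allow" else "allow"


def bumped_tunnel_outcome(conf_text, connect_req, first_bumped_req):
    """Delayed error from the thread: a denied CONNECT is still bumped, but the
    first request inside that tunnel is rejected no matter what it is."""
    if http_access(conf_text, connect_req) == "deny":
        return "deny"
    return http_access(conf_text, first_bumped_req)


# Constructed requests.
CONNECT_443 = {"method": "CONNECT", "port": 443}
CONNECT_8443 = {"method": "CONNECT", "port": 8443}
GET_ARTIFACTORY = {"method": "GET", "port": 443, "path": "/artifactory/libs/x.jar"}
GET_OTHER = {"method": "GET", "port": 443, "path": "/admin"}

if __name__ == "__main__":
    for label, conf in [("posted", POSTED_CONF),
                        ("bare allow CONNECT", BARE_CONNECT_CONF),
                        ("fixed", FIXED_CONF)]:
        print(f"{label:>18}: CONNECT:443 -> {http_access(conf, CONNECT_443)}, "
              f"CONNECT:8443 -> {http_access(conf, CONNECT_8443)}, "
              f"bumped GET /artifactory -> "
              f"{bumped_tunnel_outcome(conf, CONNECT_443, GET_ARTIFACTORY)}")
```

Running it shows the three situations in the thread: with the posted config the CONNECT never matches the path ACL, so the tunnel is denied and even a bumped `/artifactory` request is rejected; a bare `allow CONNECT` admits tunnels to any port; the `SSL_ports` form admits only port-443 tunnels, after which the path ACL decides each bumped request. Real Squid evaluates http_access again for every bumped request with its full URL, which is what this model's second step stands in for.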
    
